Trust Profiles
Trust profiles (L1, L2, L3) define the security level required for passport verification at a gate. Each level changes what issuers are accepted, what cryptographic proofs are required, and what revocation checks are mandatory.
Overview
Trust profiles are gate-level configuration: you set the minimum trust level a gate will accept, and only passports from issuers at or above that level are admitted.
Higher trust levels mean more cryptographic assurance, stricter revocation checks, and more rigorous issuer vetting. They also require more setup. Choose the level that matches your risk tolerance and deployment context.
Baseline (L1)
Accepted Issuers
Self-issued local issuers (no managed account required). Generated via the Modei SDK.
Replay Protection
Basic nonce checking. Timestamps validated within a reasonable window.
Revocation Check
Optional. Local revocation lists only. No real-time platform check required.
Proof of Possession
Not required. Passport JWT alone is sufficient proof.
Best For
Local development and testing, air-gapped environments, personal automation, early-stage prototyping. Zero account required.
Run pip install modei-python --pre, then call AgentCredentials.generate() and PassportIssuer(creds).self_issue(...). That's all you need for L1.
Trusted (L2)
Accepted Issuers
Managed issuers created through the Modei platform. Domain ownership verified at creation time.
Replay Protection
Strict. Unique nonce per request, timestamp within 5 minutes. Nonces stored and checked for reuse.
Revocation Check
Mandatory. Platform revocation status checked on every request. Revoked passports are denied immediately.
Proof of Possession
Signature over request body required (not just JWT possession).
Best For
Production deployments, team-managed agents, agents that interact with real APIs, financial transactions, customer data.
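The L2 replay rule above (unique nonce per request, timestamp within 5 minutes, nonces stored and checked for reuse) can be enforced on the gate side as follows. This is an added example, not Modei's own code or SDK API: the ReplayGuard class, the per-passport nonce scoping, Unix-second timestamps and the in-memory store are all assumptions.

```python
import time
from typing import Callable, Dict, Tuple

WINDOW_SECONDS = 5 * 60  # L2 rule from this page: timestamp within 5 minutes


class ReplayGuard:
    """Hypothetical gate-side L2 replay check (not part of the Modei SDK)."""

    def __init__(self, window: int = WINDOW_SECONDS,
                 clock: Callable[[], float] = time.time) -> None:
        self.window = window
        self.clock = clock
        # (passport_id, nonce) -> last instant at which that request could still
        # pass the timestamp check. Assumption: nonces are scoped per passport.
        self._seen: Dict[Tuple[str, str], float] = {}

    def _evict(self, now: float) -> None:
        # Strict "<": an entry expiring exactly at `now` is still replayable,
        # because a timestamp exactly `window` seconds old is still accepted.
        for key in [k for k, exp in self._seen.items() if exp < now]:
            del self._seen[key]

    def check(self, passport_id: str, nonce: str, timestamp: float) -> Tuple[bool, str]:
        """Return (admitted, reason) for one request; timestamp is Unix seconds."""
        now = self.clock()
        self._evict(now)
        if not nonce:
            return False, "missing_nonce"
        # Reject stale and future-dated requests alike.
        if abs(now - timestamp) > self.window:
            return False, "timestamp_outside_window"
        key = (passport_id, nonce)
        if key in self._seen:
            return False, "nonce_reused"
        self._seen[key] = timestamp + self.window
        return True, "ok"


if __name__ == "__main__":
    guard = ReplayGuard()
    t = time.time()
    print(guard.check("passport-A", "n-001", t))        # first use
    print(guard.check("passport-A", "n-001", t))        # replayed request
    print(guard.check("passport-A", "n-002", t - 600))  # stale timestamp
```

A nonce only needs to be retained until its request's timestamp falls outside the window, which keeps the store bounded. The dictionary here is per process, so a gate running as several instances would need a shared store for the reuse check to hold.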
Verified (L3)
Accepted Issuers
Third-party verified or certified issuers only. Formal audit required for certification.
Replay Protection
Full Proof of Possession (PoP): challenge-response binding the token to the specific request context.
Revocation Check
Mandatory + real-time Certificate Revocation List (CRL) check. Passports must have short TTLs.
Proof of Possession
Required. Private key must sign a unique challenge for every request.
Best For
Financial services (agents handling real money), healthcare (HIPAA-adjacent), legal workflows, government, high-stakes regulated environments.
Comparison Table
| Feature | L1 | L2 | L3 |
|---|---|---|---|
| Account required | ✗ | ✓ | ✓ |
| Domain verification | ✗ | ✓ | ✓ + audit |
| Replay protection | Basic | Strict | PoP |
| Revocation check | Optional | Mandatory | Mandatory + CRL |
| Signature required | JWT | JWT + body sig | JWT + PoP challenge |
| Issuer type | Self-issued | Managed | Managed + PoP required |
| Setup time | Zero | Minutes | Days (certification) |
| Best for | Dev / low-risk | Production workloads | Sensitive operations |
Related
- Issuers: How trust tiers are assigned to issuers.
- Gates: How gates enforce trust levels.
- No-Code Setup Guide: Step-by-step explanation of trust tiers.